Installing SSL Certificates for a domain has never been easier now, with certbot and Let’s Encrypt.

Let’s Encrypt is a service by the non profit Internet Security Research Group. They offer short lived SSL Certificates (90days) for free for a domain that you own. Read more about them here.

certbot is a tool by the Electronic Frontier Foundation which handles the creating and renewal of Let’s Encrypt SSL Certificates. Read more certbot here.

If you are wondering why they are offering this service free of cost, it is because they want to move the entire internet into using SSL certificates, since this makes the internet safer, especially from sniffing attacks.

In this tutorial, we are going to learn how to install SSL Certificates to an apache web-server on Ubuntu using certbot. While certbot does offer wildcard certificates, I currently do not have the need for one. This guide maybe updated at a later date with a wilcard certificate process.

Certbot offers a really simple and easy to follow guide, with options for various webservers and OSes available. This guide is mostly going to repeat the steps involved. Check out their official instructions here.

Install a single domain certbot certificate to Apache in Ubuntu 20.x

1. Pre-requisites:

• Your domain must already point to the web-server IP that you are planning to install certbot on.
• Your web-server needs to be online and accessible from the internet. ie.) It can have a dynamic IP but it must be a public one. It cannot be a CG-NAT IP, this is because certbot needs to verify that you own the domain you say you own before providing you with a certificate.
• Port 80 on your web-server needs to be open. If you are running this at home, it might involve opening port 80 on your router. Check with the manufacturer docs for more information. If you are running it on a VPS, contact the hosting provider for more details.

2. First, update the system to the latest configuration.

sudo apt update
sudo apt full-upgrade

2. Install snapd. This comes installed by default since Ubuntu 18.04, but if yours doesn’t have it, install with

sudo apt install snapd
sudo snap install core

3. Install certbot using snap

sudo snap install --classic certbot

4. Link certbot to your path so that you can call it from the terminal

sudo ln -s /snap/bin/certbot /usr/bin/certbot

5. certbot has 2 options, it can get the ssl certificate and make changes to your apache configuration, or it can just get the certificates and store them and you can change the apache configuration by yourself. Use only one of the 2 commands below

sudo certbot --apache
##This gets the ssl certificate and makes changes to your apache configuration.
sudo certbot --certonly apache

When either of the above commands is run, it will ask a few questions such as:

• Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to cancel): <your-email-address-here>
• Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must agree in order to register with the ACME server. Do you agree? Y
• Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot? We’d like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. <Y-or-N>
• Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter ‘c’ to cancel): <your-domain-name-here>

Once you answer these questions, it will request a certificate for you from letsencrypt. If everything is satisfied, your certificates will be registered and you are good to go.

If you used the --certonly option, your certificates are stored in /etc/letsencrypt/live in a folder with the domain name you gave when asking for the certificate.

If you used the –apache option, you will now find your site is using HTTPS and all HTTP requests are redirected to HTTPS.!!

Note that these certificates are short-lived (only 90 days), however certbot will automatically renew them for you. To test that this renewal runs successfully, run the following command:

sudo certbot renew --dry-run

Congratulations, you have successfully installed an SSL Certificate for your domain and made the internet a little more safer. As always, if you find any difficulty, let me know in the comments and I’ll help you as soon as possible.

Modifying the domain name on your SSL Certificate

Sometimes, you might have got a certificate for a domain name and later updated the website to a different domain name and now you might want to change your certificate to the new one or add the other domain also to your certificate. To do this, we can update the domains on the certificate.

1. First, list all certificates installed on your system by certbot with the command

sudo certbot certificates

This will give an output like this.

Found the following certs:
  Certificate Name: randomdomain.com
    Serial Number: 4wgurhgui37782e201c7639ecbe1d130727
    Key Type: ECDSA
    Domains: randomdomain.com
    Expiry Date: 2024-08-13 06:22:54+00:00 (VALID: 88 days)
    Certificate Path: <cert-path>
    Private Key Path: <key-path>

2. Then update your domain name by adding whatever domain you want to add after the -d flag.

certbot certonly --cert-name randomdomain.com -d randomdomain.com,newrandomdomain.com

This will result in your certificate having validity for both randomdomain.com and newrandomdomain.com. If instead you want only newrandomdomain.com, read below.

3. If instead, you want to change the certificate to reflect only the new domain, you have 2 options, you can either update the domain name using --cert-name option or delete the certificate and get a new one. If you’d like to follow the 2nd option, read below.

certbot certonly --cert-name randomdomain.com -d newrandomdomain.com

Revoking and deleting a certificate

You can revoke and delete a certificate you no longer use by running the revoke sub-command. By default, when running the revoke sub-command, after revoking the certificate, certbot will ask if you want to delete the certificate. It is suggested to agree to this option. If you do not agree, the certificate will remain and certbot will attempt to renew the certificate when it expires, which will fail(since it is no longer associated with the domain).

To revoke a certificate, run the command,

certbot revoke --cert-name randomdomain.com

Note – Do not manually delete the certificate from /etc/letsencrypt. Instead use the delete subcommand.

certbot delete --cert-name randomdomain.com

Do not run the delete sub-command directly, if you do so, certbot will not revoke the certificate before deleting it, this can result in issues down the line. It is always good practice to revoke the certificate first and delete it later, especially if you are not planning on using the certificate elsewhere.

To safely delete a certificate, you need to make sure that all references to the certificate are removed from your web-server configuration files. To do this, you first check if there is any mention of the certificate in your configuration file and. For every mention you find in the configuration file, you replace it with a self signed certificate and then delete the certificate by using the cerbot --delete command. For a step-by-step process, read here.

For more certbot docs and detailed explanation of it, read their official docs here.